A backdoor to a building in Portland, Oregon — James Duncan Davidson

Earlier today, I saw a very concerning tweet from Steve Streza about how Dropbox has been doing funky stuff inside of OS X/macOS. Not for nefarious purposes, mind you. Almost certainly not. Furthermore, it doesn’t look like they are storing a copy of your password, as some reports have said—and which would be really, really bad. No, they’ve simply been installing things in a way that lets them retain root privileges so that they don’t have to bug you again when they want to change things up later.

In other words, they effectively backdoor your system so that they don’t have to ask again if they can add or change things later on. After all, every time they ask permission, not only do they annoy the user, they let them consider saying no, which is always bad for numbers in a company driven by the almighty gods of daily, weekly, and monthly active usage.

Regardless of the user experience argument of keeping things simple so that the user doesn’t have to make more decisions, there are two big problems with the way that Dropbox does this:

- Dropbox didn’t ask for the ability to modify my system again in new and novel ways without asking me. It’s a violation of trust.
- It’s an additional attack vector for bad actors to exploit. There are enough of these as it is.

Furthermore, Dropbox is moving functionality into a kernel extension as part of Project Infinite. It’s pretty cool stuff—heck, I want it now!—except for the part where they’ll install a kext without asking or telling you. Regardless of whether or not you want a closed source kernel extension running in your system—and you very well might to get the benefits of an infinite cloud based filesystem—it’s shitty to put one in on the sly.

It’s like instead of giving your plumber a key for the week to work on your kitchen, you give them permanent access so that they can add some toilets and another kitchen later when they feel like it, even if you didn’t ask.

So, how do they do it? Phil Stokes shows part of how it’s done. Is it legit or not? Ben from Dropbox gives their rationale on Hacker News.

Should you drop Dropbox on their ass for this? Maybe. Maybe not. I’m not the one to tell you whether the utility of Dropbox is worth the risk. Dropbox has been damn useful for a long time. Then again, there are alternatives. You’ll need to make up your own mind on this.

Personally, I’m going to give life without Dropbox on my system a go. I’ll keep it for the cloud based file sharing, but will spend at least a few weeks without the nifty magic auto-sync bits. After that, I’ll re-evaluate.

If you want to get rid of Dropbox, how do you do it? Quitting and deleting it used to work and is well documented, but it no longer does the trick. Instead, you’ll get a lovely dialog box telling you that it can’t be deleted because some of its extensions are in use. Dropbox’s help center provides the essential extra step: You have to unlink your Dropbox account first before you quit and uninstall Dropbox. So that means:

- Unlink your account in Dropbox preferences
- Quit Dropbox

But wait! Before you go further, you’ll also want to get rid of the helpers. To do that, you’ll need to drop to the command line and—very carefully, that sudo part is messing around with fire—execute the following:

    $ sudo rm -rf /Library/DropboxHelperTools

You were careful with that sudo, right? Good. Now, you may or may not have the kernel extension installed. I didn’t, and here’s how I checked:

    $ ls /Library/Extensions/Dropbox.kext
    ls: /Library/Extensions/Dropbox.kext: No such file or directory

If you do have the kext installed, you can nuke it—again, being careful with the sudo—like this:

    $ sudo rm -rf /Library/Extensions/Dropbox.kext

Next, you’ll also want to clean up some stuff from your System Preferences:

- Remove the Dropbox login item from your user account
- Remove Dropbox from the Accessibility Privacy list

Now, you’re ready to delete the Dropbox app and purge your trash. Then reboot and check. That should do it.

Of course, this is probably not the only way to do it, but it’s the order I finally hit on to get Dropbox off my system. Your mileage may vary. Good luck and godspeed.
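
For the "reboot and check" step, here is a read-only check script, added as an example and not part of the original post. It reports which of the paths removed above still exist and lists any setuid or setgid files beneath them, since such files are one way an installed helper keeps elevated privileges (the post does not say which mechanism Dropbox uses). The function name `dropbox_leftovers` and the `/Applications/Dropbox.app` location are assumptions.

```shell
#!/bin/sh
# Added example: read-only check for the Dropbox components the post removes.
# Nothing is deleted; run it before the cleanup and again after the reboot.

# Print each component still present under ROOT (default /).
# Returns 0 when none are found, 1 otherwise.
dropbox_leftovers() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so paths below stay absolute
    found=0
    # First two paths are from the post; the app bundle location is an
    # assumption (the post only says "the Dropbox app").
    for rel in Library/DropboxHelperTools \
               Library/Extensions/Dropbox.kext \
               Applications/Dropbox.app; do
        path="$root/$rel"
        if [ -e "$path" ] || [ -L "$path" ]; then
            found=1
            echo "PRESENT $path"
            # Setuid/setgid files are one way a helper keeps elevated
            # privileges; list them so they can be reviewed before removal.
            if [ -d "$path" ]; then
                find "$path" -type f \( -perm -4000 -o -perm -2000 \) \
                    -exec ls -l {} \; 2>/dev/null | sed 's/^/  PRIVILEGED /'
            fi
        else
            echo "absent  $path"
        fi
    done
    [ "$found" -eq 0 ]
}

if dropbox_leftovers "${1:-/}"; then
    echo "No Dropbox components found."
else
    echo "Dropbox components remain; see PRESENT lines above."
fi
```

Passing a different root as the first argument checks a mounted volume or backup instead of the running system.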